You can change the primary key (previously called a master key) of a key provider, for example, when you want to rotate the primary key that is used.

See Virtual Machine Encryption Best Practices for guidance about key life cycle.


Create and activate a key on the KMS to be used as the new primary key for the trusted key provider. This key wraps other keys and secrets used by this trusted key provider. See your KMS vendor documentation for more information about creating keys.


  1. Run the Set-TrustAuthorityKeyProvider command.
    For example:
    Set-TrustAuthorityKeyProvider -MasterKeyId Key-ID
  2. Verify the status of the key provider.
    1. Assign Get-TrustAuthorityCluster information to a variable.
      For example:
      $vTA = Get-TrustAuthorityCluster 'vTA Cluster'
    2. Assign the Get-TrustAuthorityKeyProvider -TrustAuthorityCluster $vTA information to a variable.
      For example:
      $kp = Get-TrustAuthorityKeyProvider -TrustAuthorityCluster $vTA
    3. Verify the status of the key provider by running $kp.Status.
      For example:
      KeyProviderId Health HealthDetails ServerStatus
      ------------- ------ ------------- ------------
      domain-c8-kp4     Ok {}            {IP_address}
      A Health status of Ok indicates that the key provider is running correctly.


The new primary key is used for any new encryption operations. Data encrypted with the old primary key is still decrypted using the old key.